LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48941: ice: fix concurrent reset and removal of VFs

In the Linux kernel, the following vulnerability has been resolved: ice: fix concurrent reset and removal of VFs Commit c503e63200c6 ("ice: Stop processing VF messages during teardown") introduced a driver state flag, ICE_VF_DEINIT_IN_PROGRESS, which is intended to prevent some issues with concurrently handling messages from VFs while tearing down the VFs. This change was motivated by crashes caused while tearing down and bringing up VFs in rapid succession. It turns out that the fix actually introduces issues with the VF driver caused because the PF no longer responds to any messages sent by the VF during its .remove routine. This results in the VF potentially removing its DMA memory before the PF has shut down the device queues. Additionally, the fix doesn't actually resolve concurrency issues within the ice driver. It is possible for a VF to initiate a reset just prior to the ice driver removing VFs. This can result in the remove task concurrently operating while the VF is being reset. This results in similar memory corruption and panics purportedly fixed by that commit. Fix this concurrency at its root by protecting both the reset and removal flows using the existing VF cfg_lock. This ensures that we cannot remove the VF while any outstanding critical tasks such as a virtchnl message or a reset are occurring. This locking change also fixes the root cause originally fixed by commit c503e63200c6 ("ice: Stop processing VF messages during teardown"), so we can simply revert it. Note that I kept these two changes together because simply reverting the original commit alone would leave the driver vulnerable to worse race conditions.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This Linux kernel issue can crash systems that use the ice network driver with virtual functions. The failure comes from a race during VF reset and removal, where cleanup can overlap with active VF work and cause memory corruption or panics. The sources do not provide CVSS scoring or evidence of active exploitation.

Executive priority

Treat this as targeted operational risk for hosts using ice virtual functions, especially virtualization or network-heavy systems. Prioritize patch verification on those systems, but avoid broad emergency response unless your environment depends on this driver path.

Technical view

The ice driver previously stopped responding to VF messages during teardown, but that allowed VF DMA memory removal before PF queue shutdown. A VF reset could also race with VF removal. The fix protects reset and removal flows with the existing VF cfg_lock and reverts the earlier teardown flag behavior.

Likely exposure

Exposure appears limited to Linux systems running affected kernel versions with the ice driver and VF functionality in use. Systems not using this driver or virtual functions are less likely to be exposed based on the provided description.

Exploitation context

CISA KEV is false in the bundle, and no cited source reports active exploitation. The described trigger is a concurrency condition around VF reset and removal, with impact stated as memory corruption and kernel panics.

Researcher notes

The key security-relevant behavior is memory corruption from concurrent VF reset and removal. The fix serializes critical VF operations using cfg_lock and removes the incomplete ICE_VF_DEINIT_IN_PROGRESS approach. Evidence is incomplete for exploitability beyond crash or corruption.

Mitigation direction

  • Upgrade to a Linux kernel containing the referenced stable fixes.
  • Check distribution or vendor kernel advisories for backported fixes.
  • Prioritize hosts using ice virtual functions in production networking.
  • Avoid relying on the earlier teardown flag behavior as a mitigation.

Validation and detection

  • Inventory Linux kernels against the affected version information in the CVE bundle.
  • Identify hosts loading the ice driver with configured virtual functions.
  • Confirm patched kernels include one of the referenced stable commits or equivalent backport.
  • Review kernel logs for panics during VF teardown, reset, or rapid reconfiguration.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-48941 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
4Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxc503e63200c679e362afca7aca9d3dc63a0f45ed, c503e63200c679e362afca7aca9d3dc63a0f45ed, c503e63200c679e362afca7aca9d3dc63a0f45ed, 8a08142433624fd1088bc8c13639408cf4e1707cunaffected
LinuxLinux5.14, 0, 5.15.26, 5.16.12, 5.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.